{
  "id": "policy/terraform-state-lock-policy-violation",
  "signature": "Error: Error acquiring the state lock. Lock Info: Lock ID: \"abc123\", Operation: OperationNotAllowed: The state lock cannot be acquired because the current user does not have the required permission.",
  "signature_zh": "错误：获取状态锁时出错。锁信息：锁 ID：“abc123”，操作：OperationNotAllowed：无法获取状态锁，因为当前用户没有所需的权限。",
  "regex": "Error acquiring the state lock\\. Lock Info: Lock ID: \"[a-f0-9]+\", Operation: OperationNotAllowed",
  "domain": "policy",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "The IAM policy on the state storage backend (e.g., GCS bucket or S3 bucket) does not grant the 'storage.objects.create' permission (for GCS) or 's3:PutObject' (for S3) to the service account or user attempting to acquire the lock.",
  "root_cause_type": "generic",
  "root_cause_zh": "状态存储后端（例如 GCS 存储桶或 S3 存储桶）上的 IAM 策略未向尝试获取锁的服务帐户或用户授予 'storage.objects.create' 权限（对于 GCS）或 's3:PutObject'（对于 S3）。",
  "versions": [
    {
      "version": "Terraform 1.5.x",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Google Cloud Storage (GCS)",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "AWS S3",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The force-unlock command also requires the same write permission on the state backend to delete the lock file. If the current user lacks the permission, force-unlock will fail with the same error.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "IAM policy changes can take up to 2 minutes to propagate. Additionally, the problem may lie in the bucket-level policy rather than the project-level one, so the user may still lack the specific object-level permissions.",
      "fail_rate": 0.5,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "This bypasses the lock and can cause state corruption if multiple users run Terraform concurrently. It is a dangerous workaround, not a fix, and may lead to data loss.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Grant the 'roles/storage.objectAdmin' role (for GCS) or 's3:PutObject' and 's3:DeleteObject' permissions (for S3) to the service account on the specific bucket. For GCS: `gsutil iam ch serviceAccount:your-sa@project.iam.gserviceaccount.com:roles/storage.objectAdmin gs://your-terraform-state-bucket`. Then wait 2 minutes and retry.",
      "success_rate": 0.9,
      "how": "Grant the 'roles/storage.objectAdmin' role (for GCS) or 's3:PutObject' and 's3:DeleteObject' permissions (for S3) to the service account on the specific bucket. For GCS: `gsutil iam ch serviceAccount:your-sa@project.iam.gserviceaccount.com:roles/storage.objectAdmin gs://your-terraform-state-bucket`. Then wait 2 minutes and retry.",
      "condition": "",
      "sources": []
    },
    {
      "action": "If using GCS, verify the bucket's IAM policy with `gsutil iam get gs://your-terraform-state-bucket` and ensure the service account has at least 'roles/storage.objectAdmin' or a custom role with 'storage.objects.create' and 'storage.objects.delete' permissions.",
      "success_rate": 0.85,
      "how": "If using GCS, verify the bucket's IAM policy with `gsutil iam get gs://your-terraform-state-bucket` and ensure the service account has at least 'roles/storage.objectAdmin' or a custom role with 'storage.objects.create' and 'storage.objects.delete' permissions.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Switch to a remote backend that supports fine-grained access control (e.g., Terraform Cloud) where lock permissions are managed separately from state storage.",
      "success_rate": 0.7,
      "how": "Switch to a remote backend that supports fine-grained access control (e.g., Terraform Cloud) where lock permissions are managed separately from state storage.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "向服务帐户授予特定存储桶上的 'roles/storage.objectAdmin' 角色（对于 GCS）或 's3:PutObject' 和 's3:DeleteObject' 权限（对于 S3）。对于 GCS：`gsutil iam ch serviceAccount:your-sa@project.iam.gserviceaccount.com:roles/storage.objectAdmin gs://your-terraform-state-bucket`。然后等待 2 分钟并重试。",
    "如果使用 GCS，请使用 `gsutil iam get gs://your-terraform-state-bucket` 验证存储桶的 IAM 策略，并确保服务帐户至少具有 'roles/storage.objectAdmin' 或具有 'storage.objects.create' 和 'storage.objects.delete' 权限的自定义角色。",
    "切换到支持细粒度访问控制的远程后端（例如 Terraform Cloud），其中锁权限与状态存储分开管理。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://developer.hashicorp.com/terraform/language/state/locking",
  "official_doc_section": null,
  "error_code": "OperationNotAllowed",
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.85,
  "resolvable": "true",
  "first_seen": "2023-11-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}